[PSA] Newer TP-Link Routers send ALL your web traffic to 3rd party servers

I recently enabled a DNS gateway to be able to see requests from my router, and network devices. Was surprised to find 80K + requests (in 24 hours) out to an Avira “Safe Things” subdomains *.safethings.avira.com (far more than any other server).

Digging into this more, I found that it is related to the built-in router security “Home Shield” that ships with newer TP-Link routers - https://oem.avira.com/en/solutions/safethings-for-router-manufacturers

Here is the kicker though, I have the Avira / Home Shield services completely turned off (I wasn’t even subscribed to their paid service for it). The router doesn’t care, and sends ALL your traffic to be “analyzed” anyhow. See this response from TP Link (towards bottom of review) from last year - https://www.xda-developers.com/tp-link-deco-x68-review/#:~:text=TP%2DLink%20says%20the%20network%20activity Update: I emailed reviewer to confirm TP-Link never updated him after.

I contacted support about this again, and was given a non-answer about how the requests are to check subscription status. 80K + requests a day to check subscription status? Why would it even need to do 1 single subscription check, if I’m not enabling any functionality that is behind a subscription paywall? Also the rate of requests is not constant, it is higher when my internet traffic is higher. To me this lack of consistent answer / response from TP-Link is as concerning as the requests themselves.

I’m not seeing much online about this issue, as I don’t think many people realize it is even occurring (since traffic is outgoing straight from router, as opposed to an individual computer). Hoping to gain some attention on this issue and get a real answer / response from TP-Link about what exactly is going on here. As well as a concrete timeline and promise for a fix to stop these outgoing requests, when we aren’t even using their anti-virus services.

Edit: Additional details, this is on their WiFi 6 AX3000 (Archer AX55) router. From the XDA review it looks like this is also happening on their Deco series. If you want to easily check your own router, you can use any DNS gateway (NextDNS, Cloudflare Gateway, Pi-hole, etc.). Just be sure to set the DNS servers under “Advanced->Network->Internet->Advanced Settings” because the DHCP DNS server setting will only apply to the devices inside the network, not the router itself.

Edit #2: I’ve also contacted Avira directly regarding the endpoints, in the hope that they’ll be more straightforward than TP-Link about the purpose. Will update here when I receive a response. Update: Avira support got back to me and said they couldn’t answer any questions because I’m not a paying customer. So they can collect data, for free, but not tell me what the data is…

Edit #3: If anyone knows of good industry contacts, who can dig into this more or get real answers, please send a message! I’ve seen GamerNexus brought up a few times, but don’t see any contact method.

Update: Temporary Fix!

Discovered this late, but in case someone gets here from Google, etc. I noticed that if I block the *.safethings.avira.com subdomains, then reboot the router, this seems to prevent it going into the retry-loops when DNS lookup fails. There must be a flag that is set in-memory if the first time the router is ever able to successfully contact the domains? Rebooting after blocking prevents this flag ever getting set. So without the retries involved, this hugely reduced the router CPU usage when blocking for me. The router is actually now attempting requests less than when not blocked at all.

Beta Firmware Update

TP-Link has posted links to beta firmware that claims to fix the issue. Note: It hasn’t been verified whether the update actually reduces requests to Avira, or simply caches the DNS query (then makes requests directly to IP) - https://www.tp-link.com/us/support/faq/3329/

Press Release by TP-Link Korea

Thanks to /u/Lord_Buffum for sharing this - https://www.tp-link.com/kr/press/news/19964/

Essentially they say that the frequency (not existence) of DNS requests is a bug that will be fixed, but never explain WHY the router needs to contact Avira with HomeShield disabled. To me this adds almost no reassurance or new info. We already knew Avira is used for HomeShield, and that DNS lookups to Avira are to get the IP address. What we don’t know is 1) Why the requests are being made with the service disabled, and 2) What data is even being sent in the requests (and why). Translated relevant bits below -

  1. TP-Link HomeShield uses AVIRA services to protect its customers’ networks from cybersecurity threats. AVIRA is a global cybersecurity software company based in Germany, now a brand of the Norton LifeLock group (www.avira.com).

Because this service operates by accessing the AVIRA Cloud service, the router periodically checks the AVIRA Cloud IP address. The router sent a DNS query to check this IP address. In order for the router to continue to use AVIRA cloud services, it is necessary to periodically send DNS queries as it must be able to access AVIRA’s IP.

However, as a result of examining the software, we found a defect in the DNS request logic where requests occur frequently, and our TP-Link has optimized the software to reduce such frequent queries. Customers will be able to update the firmware of these products soon.

  2. DNS query is to query a domain name, and send a DNS request to request the domain name of the AVIRA server.

As a DNS query, no personal information is included in these requests.

I also have tried blocking / redirecting the DNS queries, but this results in the router getting stuck in retry loop (thousands of requests a minute), and a big spike in router CPU usage as a side effect. The fix really needs to come from TP-Link.

Edit: See my temporary work-around at bottom of post!

Update: TP-Link says the network activity is due to “the Avira cloud data base [distinguishing] whether [the network request is] secure data or malware.” A firmware update is in the works that will turn this functionality off if no Avira network features are enabled in the app, but there is no estimated timeline for that yet.
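The check the post describes (point a DNS gateway at the router's own WAN DNS setting, then look for one client sending a flood of lookups to a single vendor domain) can be automated over the query log most gateways keep. The script below is an added example written for this thread, not code from the OP, TP-Link or Avira: it parses dnsmasq/Pi-hole style "query[A] name from client" lines, aggregates by client and a crude domain suffix, and flags any client whose top suffix dominates its other lookups. The log lines are constructed, and the router address 192.168.0.1 and the laptop address 192.168.0.23 are assumptions. It also emits the dnsmasq `address=/suffix/` lines that sink a suffix to NXDOMAIN, which is the blocking step in the OP's temporary fix.

```python
"""Spot a router that is itself the source of a DNS query flood.

Added example (not from the Reddit post). All log lines are constructed;
192.168.0.1 (router) and 192.168.0.23 (laptop) are assumed addresses.
"""
import re
from collections import Counter, defaultdict
from fnmatch import fnmatch

# dnsmasq (as used by Pi-hole) logs each lookup as
#   "<date> dnsmasq[<pid>]: query[<type>] <name> from <client-ip>"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")

# Constructed sample log: the router (assumed 192.168.0.1) hammering one vendor
# domain, a laptop doing a handful of ordinary lookups, plus one non-query line.
SAMPLE_LOG = [
    f"Mar  5 10:{i:02d}:00 dnsmasq[801]: query[A] api{i % 2 + 1}.safethings.avira.com from 192.168.0.1"
    for i in range(12)
] + [
    "Mar  5 10:12:00 dnsmasq[801]: query[A] pool.ntp.org from 192.168.0.1",
    "Mar  5 10:12:01 dnsmasq[801]: query[A] www.reddit.com from 192.168.0.23",
    "Mar  5 10:12:01 dnsmasq[801]: forwarded www.reddit.com to 1.1.1.1",
    "Mar  5 10:12:05 dnsmasq[801]: query[A] www.reddit.com from 192.168.0.23",
    "Mar  5 10:12:09 dnsmasq[801]: query[A] www.xda-developers.com from 192.168.0.23",
    "Mar  5 10:12:30 dnsmasq[801]: query[A] api.github.com from 192.168.0.23",
]


def parse_query(line):
    """Return (name, client) for a query line, or None for any other line."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("name").lower().rstrip("."), m.group("client")


def suffix(name, labels=3):
    """Crude grouping key: the last `labels` DNS labels (no public-suffix list),
    so api1.safethings.avira.com and api2.safethings.avira.com count together."""
    parts = name.split(".")
    return ".".join(parts[-labels:])


def count_queries(lines):
    """Return {client: Counter(suffix -> query count)}, skipping non-query lines."""
    per_client = defaultdict(Counter)
    for line in lines:
        parsed = parse_query(line)
        if parsed:
            name, client = parsed
            per_client[client][suffix(name)] += 1
    return per_client


def flag_dominant(per_client, minimum=10, ratio=5.0):
    """Flag (client, suffix, count) where one suffix has at least `minimum`
    queries and at least `ratio` times the client's runner-up suffix.
    A router beaconing to a single vendor domain looks exactly like this."""
    flagged = []
    for client, counts in per_client.items():
        ranked = counts.most_common(2)
        top_suffix, top = ranked[0]
        runner_up = ranked[1][1] if len(ranked) > 1 else 0
        if top >= minimum and top >= ratio * max(runner_up, 1):
            flagged.append((client, top_suffix, top))
    return flagged


def matches_any(name, patterns):
    """True if `name` matches any shell-style wildcard such as *.safethings.avira.com."""
    return any(fnmatch(name, p) for p in patterns)


def dnsmasq_block_lines(suffixes):
    """dnsmasq config lines that answer NXDOMAIN for a suffix and everything under it.
    Per the OP, apply these and then reboot the router, or it may spin in a retry loop."""
    return [f"address=/{s}/" for s in suffixes]


if __name__ == "__main__":
    per = count_queries(SAMPLE_LOG)
    for client, sfx, n in flag_dominant(per):
        print(f"{client} sent {n} lookups for *.{sfx}")
        print("\n".join(dnsmasq_block_lines([sfx])))
```

Running it over the constructed log flags only the router, with 12 of its 13 lookups under safethings.avira.com, and prints the matching `address=/safethings.avira.com/` line. A DNS-side count like this only sees what the router resolves through the gateway; if a firmware caches the answer or carries a hard-coded IP (the open question raised about the beta firmware), the traffic shows up only in the upstream firewall or flow logs, not here.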

Who greenlit shipping this? If non-subscribers still send EVERY request to TP-Link, aren’t they wasting a tremendous amount of resources unless they plan to do something else with the data?

This is wild, and I hope some industry press picks up on this soon.

Thank you for bringing this and talking about it. Just thinking about this makes me feel really bad and angry.

But then I’m used to ISPs routing all traffic to specific city hundreds of kilometers away as the “gateway to the world” so that the traffic can come back to city near me… Remote connecting to PC 10 km apart results in 100 ms of delay. Plus they scan all your requests and warn you when you try to open website that they think is malicious. Add the constant telemetry from everything including Windows, antiviruses etc and the TP-Link issue doesn’t seem that outrageous…

At this point I think we NEED a law that forces companies to let you easily turn off ALL the traffic that is not essential to the device/app to work correctly. Same thing as cookies but extended for devices (like routers) and apps (like Windows and antiviruses).

God… i just bought a tp-link router

If you think your router does shady things, replace its firmware with OpenWRT. Nothing else will stop its malicious behavior.

sounds like another case for gamers nexus to publicly roast the company

/facepalm

I’ve been using a TP-Link for a while. I wondered why, when I switched to an ISP router that was ‘worse’, it seemed to perform better.

God, fuck these middle management anti consumer bullshit decisions.

Wouldn’t this be a super bad breach of privacy for sensitive data, like banking and health info?

Thankfully the only thing I’ve purchased from TP-Link are their switches

I have the Archer AX5400 in bridged mode, pfsense as a router. With all routing disabled, mine should not be able to do this right?

u/lelldorianx you may want to look into this !

Not the first time they make negative headlines. Eg. a few years ago there was another issue where they abused public NTP resources.

In the end, TP-Link is cheap China trash with few updates and no support. I would never buy anything complex and internet-connected like a residential gateway (“router”) from them.

TP-Link has a history of generating a ton of useless DNS requests, even after disabling their “dns helper” services.

I’m looking at an older model that generated 9000 queries to tp-link.com in the past 24 hours.

I’m also running it behind another device so I do see everything it’s sending.

And this is why the first requirement I have when buying a new router is “will it run an open source firmware”.

This is why I never use those “all in one” wifi systems. You NEED OPNsense/Pfsense as your primary router/firewall, these fancy wifi 6/6E systems can only be trusted to run in bridge mode.

Write to Detlev Grell, chief editor of the (best) computer magazine in Germany (Europe), c’t and tell him your findings. They will probably make an article about it.

[email protected]

use any DNS Gateway (NextDNS, Cloudflare Gateway Pi-Hole etc.) Just be sure to set the DNS servers under “Advanced->Network->Internet->Advanced Settings” because the DHCP DNS server setting will only apply to the devices inside the network, not the router itself.

SO much this. Muggles, and even a lot of tech-savvy folks, never even think to check their router DNS settings. Also +1 for mentioning nextdns.io. A subscription to that is one of the best $20/yr you can spend. I’m in my 3rd year with NextDNS and there have been many times it blocked something that uBlock Origin and whatever PC security suite I use have missed.

A couple of years ago, I bought a cheap $35 router from Amazon. As I was going thru the settings when I first got it (as I do with literally every electronic device I get - review every single setting of every single settings page), I noticed it had an IP address pre-programmed for the WAN DNS. I first set it to DHCP and then rebooted the router, only to find that IP was back in the WAN DNS after reboot. pingtool.org revealed the IP is located in China. Next, I set the WAN DNS to 1.1.1.1 instead of the pre-programmed IP, rebooted and it saved the 1.1.1.1 setting after reboot. At least 190 other people bought the router, and it irks me that nearly all of them probably have no idea all their DNS requests are being routed thru China.

One more reason to run your own router with a pfSense box

Is there a way to prevent this until it is addressed? I just bought an AX12000 at Costco a few weeks ago. I thought this was the best rated one :confused: Not even sure what I would get instead. Is installing dd-wrt or something the only solution? I’m a noob when it comes to networking.

Also saw someone say don’t use your ISP’s DNS. What’s the benefit of this? Should I pay for one?